An unemployed London man discovered a USB flash storage device lying on the street as he was headed to the library to check the Internet for job listings. When he got to the library, he plugged it in and found it was filled with security details for London's Heathrow International Airport—including security measures and travel details for Queen Elizabeth II. The man turned over the drive to a reporter at the Sunday Mirror.

On the flash drive were 76 folders of files, including security documents and maps of the airport. The maps included the location of every closed circuit television (CCTV) camera at the airport; routes and security protection measures for the Queen, Cabinet ministers and visiting foreign dignitaries; and maps of the airport's tunnels and escape shafts for the Heathrow Express train station.

Other documents included a timetable for anti-terrorism patrols at the airport, documentation of the ultrasound system used by Heathrow security to check perimeter fences and runways for breaches, and details of the types of identification required to gain access to secure areas—including those used by covert security personnel. There were also photos of the security facilities used by the Queen.

In all, the drive contained 2.5GB of data—all of it unencrypted. In a statement to the press, a spokesperson for Heathrow said:

Heathrow’s top priority is the safety and security of our passengers and colleagues. The UK and Heathrow have some of the most robust aviation security measures in the world and we remain vigilant to evolving threats by updating our procedures on a daily basis. We have reviewed all of our security plans and are confident that Heathrow remains secure. We have also launched an internal investigation to understand how this happened and are taking steps to prevent a similar occurrence in future.

London Metropolitan Police were working with airport officials to determine how the data found its way out of the airport's offices.

Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Email: sean.gallagher@arstechnica.com // Twitter: @thepacketrat

Methinks heads will roll once the source for this USB drive is uncovered. Glad the fellow who found it turned it over to a reputable publication, and wasn’t somebody who might have uploaded it all “for the lulz”...

Methinks heads will roll once the source for this USB drive is uncovered. Glad the fellow who found it turned it over to a reputable publication, and wasn’t somebody who might have uploaded it all “for the lulz”...

I'm glad he turned it over to the press and not the government -- where we would have never known about this.

Unencrypted USB...are we really still so bereft of basic security protocols that (apparently) high-level officials are walking around with unencrypted USB drives full of sensitive information? Someone's crumpets are going to roll over this one.

Ah yes. The classic Reverse USB Drop. Rather than dropping a USB with malware by a place you wish to get a backdoor into; you wait for someone to randomly drop a USB filled with critical information in the public.

Yeah reading the article it isn't 100% clear where the data came from. It coming from the airport is implied and that is one of the 3 possibilities I can see

1. Came from the Airport
2. Came from the royal guard (I'm from the US and it would be the Secret Service over here)
3. Came from a foreign actor / terrorist

Now the first 2 are bad opsec but less of an issue. The third option is bad opsec and a scary thought.

Probably 3. That's just my thoughts. Spies are still a thing in this day and age. Though they certainly aren't dumping info to their handlers like they used to in this day and age of overt observation.

Yeah reading the article it isn't 100% clear where the data came from. It coming from the airport is implied and that is one of the 3 possibilities I can see

1. Came from the Airport
2. Came from the royal guard (I'm from the US and it would be the Secret Service over here)
3. Came from a foreign actor / terrorist

Now the first 2 are bad opsec but less of an issue. The third option is bad opsec and a scary thought.

Probably 3. That's just my thoughts. Spies are still a thing in this day and age. Though they certainly aren't dumping info to their handlers like they used to in this day and age of over the observation.

If either 1 or 2 is true, then it was probably for 3. Not many people take this kind of information home from work for their own enjoyment.

How foolish. To give over this kind of information to a newspaper? Why not call the police? These are the types of things that should be protected. Especially considering the near impossibility to CHANGE any of this information now that it is public (besides things like patrol patterns). If a major incident occurs at Heathrow, where terrorists exploit this information, we should all point our fingers back at this guy.

Because it's important for the public to know that the government may have security issues that need to be fixed. Letting anyone walk out of a government facility with that information on a USB stick, even worse one that is unencrypted, is absurd.

So long as the contents themselves weren't provided, and only a listing of the contents, then taking it to the press was the right move. The press can then turn it over to the proper authorities.

Reading this, I thought that having a malware-installing flash drive loaded with such juicy bait might be an effective method of gaining access to a system you couldn't otherwise get your "lost" flash drive plugged in to. Possibly.

Yeah reading the article it isn't 100% clear where the data came from. It coming from the airport is implied and that is one of the 3 possibilities I can see

1. Came from the Airport
2. Came from the royal guard (I'm from the US and it would be the Secret Service over here)
3. Came from a foreign actor / terrorist

Now the first 2 are bad opsec but less of an issue. The third option is bad opsec and a scary thought.

Probably 3. That's just my thoughts. Spies are still a thing in this day and age. Though they certainly aren't dumping info to their handlers like they used to in this day and age of over the observation.

If either 1 or 2 is true, then it was probably for 3. Not many people take this kind of information home from work for their own enjoyment.

Except the NSA had a few cases recently of where people did exactly that, only for it to backfire spectacularly. I expect that that's just the tip of the iceberg when it comes to data being where it isn't supposed to be.

How foolish. To give over this kind of information to a newspaper? Why not call the police? These are the types of things that should be protected. Especially considering the near impossibility to CHANGE any of this information now that it is public (besides things like patrol patterns). If a major incident occurs at Heathrow, where terrorists exploit this information, we should all point our fingers back at this guy.

Because it's important for the public to know that the government may have security issues that need to be fixed. Letting anyone walk out of a government facility with that information on a USB stick, even worse one that is unencrypted, is absurd.

So long as the contents themselves weren't provided, and only a listing of the contents, then taking it to the press was the right move. The press can then turn it over to the proper authorities.

QFT. There is a high likelihood that this is a government fuck-up. If given back to the government, do you think anyone would know? Would there be any changes except perhaps some job reassignments? At least with public knowledge there is a chance of change, however slim.

The guy, and the library, was fortunate in a way. The USB stick could have also been a Trojan Horse dropped for the purpose of infecting whatever computer it was plugged in to.

But to the point of the article, I hope that they track down the owner. If it is someone in airport security, they need to be fired, if it is a hacker or foreign operative, they need to be found.

Who says it's not all part of the plan anyway? Remember, malware like Stuxnet was designed to work only on specific platforms and remain hidden otherwise. Who doesn't think that such an item wasn't planted with the expectation that someone at GCHQ wouldn't end up plugging it into something and ultimately giving full backdoor access to government systems?

How foolish. To give over this kind of information to a newspaper? Why not call the police?

He may not have really known what he had found. He may have seen a couple of documents and decided it was interesting and went to the newspaper. The newspaper then discovers the true scope of the information that was on the drive. He also may be trying to avoid the police because of run-ins in the past and the possibility of being charged with stealing, or in possession of, state secrets. The police are not always the best choice.

The guy, and the library, was fortunate in a way. The USB stick could have also been a Trojan Horse dropped for the purpose of infecting whatever computer it was plugged in to.

But to the point of the article, I hope that they track down the owner. If it is someone in airport security, they need to be fired, if it is a hacker or foreign operative, they need to be found.

Fired? They need to be publicly flogged. This is why we don't walk around with sensitive data on unencrypted storage, people. I think if they make a good example of whoever it is that put this stuff on this drive, it should hit home and create that sense of urgency in people they seem to be lacking. Of course, this assumes that the person who put that stuff on the drive had rights to do so. Maybe it was dropped by a clumsy criminal--or another dumbass contractor/employee for a security agency walking out of work with sensitive data.

Unencrypted USB...are we really still so bereft of basic security protocols that (apparently) high-level officials are walking around with unencrypted USB drives full of sensitive information? Someone's crumpets are going to roll over this one.

I'm willing to bet the farm that this is NOT from someone who was authorized to obtain or carry it.

What I do question is whether or not the data is accurate. That is to say if it's dummy data for some kind of sting operation against wannabe domestic terrorists. If it's accurate data, then the only conclusion is that it was obtained to set up an attack.

The notion that their opsec is bad enough to allow that kind of information out unencrypted on a USB stick indicates such a high level of opsec failure that it beggars the imagination. If it's accurate data, then it was deliberately obtained for some very bad reasons.

I foresee a lot of sleepless nights for counter-terrorism professionals world wide, and Heathrow security specifically, for the foreseeable future.

How foolish. To give over this kind of information to a newspaper? Why not call the police? These are the types of things that should be protected. Especially considering the near impossibility to CHANGE any of this information now that it is public (besides things like patrol patterns). If a major incident occurs at Heathrow, where terrorists exploit this information, we should all point our fingers back at this guy. How has it become so crazy that people have no sense of national pride and patriotism anymore? Turning it in to the newspaper ensures you become famous... and that's much more important than national security.

There may be no public benefit to the information being given to the press, but there IS public benefit to the press being made aware of such a ludicrous failure of security on the part of the government etc.

These are the people who want access to everyone's data in massive databases, and to be trusted with golden encryption keys that they promise to keep safe. Their ability, or apparently lack thereof, to protect security information such as this is an important consideration before deciding if they should be given that.

Clearly they do not possess the necessary wit to actually safeguard that kind of data and knowing that is directly relevant to the public interest and the ongoing encryption discussion where the government's argument hinges on "Trust us, we know what we're doing".

How foolish. To give over this kind of information to a newspaper? Why not call the police? These are the types of things that should be protected. Especially considering the near impossibility to CHANGE any of this information now that it is public (besides things like patrol patterns). If a major incident occurs at Heathrow, where terrorists exploit this information, we should all point our fingers back at this guy. How has it become so crazy that people have no sense of national pride and patriotism anymore? Turning it in to the newspaper ensures you become famous... and that's much more important than national security.

Yes, it is indeed sad that we cannot trust our own police agencies. Perhaps he was afraid of somehow being implicated? Going to the press protects this unemployed person from simply disappearing.

Ah! It is a really old trick... Hacking intrusion is not worth it when you only have to drop a CD labeled "Employee Salaries" near the entrance of the office. This CD is infected with a remote access backdoor, of course.

Reading this, I thought that having a malware-installing flash drive loaded with such juicy bait might be an effective method of gaining access to a system you couldn't otherwise get your "lost" flash drive plugged in to. Possibly.

How foolish. To give over this kind of information to a newspaper? Why not call the police?

He may not have really known what he had found. He may have seen a couple of documents and decided it was interesting and went to the newspaper. The newspaper then discovers the true scope of the information that was on the drive. He also may be trying to avoid the police because of run-ins in the past and the possibility of being charged with stealing, or in possession of, state secrets. The police are not always the best choice.

Exactly. In the US at least (don't know about UK) shield laws can offer some protection to the guy that found the USB device.

The legitimate press is not going to willy nilly publish the contents. But they certainly would publish that it was found and an analysis of the critical nature of the data.

Reading this, I thought that having a malware-installing flash drive loaded with such juicy bait might be an effective method of gaining access to a system you couldn't otherwise get your "lost" flash drive plugged in to. Possibly.

You're right, it's a great way of hacking the public library system!

Wait till you end up with library fees. How else will you get rid of that $7.42 fee after you lost a book you rented.

Me too, but then I read that he plugged it into somebody else's computer, so that's OK.

About why not turn this over to the cops? I wouldn't, I'd want to avoid explaining ad nauseam that I found it on the sidewalk. I'd expect trouble from them: with good choices about who I was in line as at the convenience store probably only a few dozen hours of questions. Edit: changed with to as.

Unencrypted USB...are we really still so bereft of basic security protocols that (apparently) high-level officials are walking around with unencrypted USB drives full of sensitive information? Someone's crumpets are going to roll over this one.

It's funny, the lack of a single homogeneous system throughout every department and every branch makes carrying encrypted information difficult for gov employees. There is little chance of someone else having the correct software to decrypt it. The only way to transfer lots of data is unencrypted USB sticks. Doubly so if you're in a department that doesn't allow you to install stuff on your PC as not only do you not have the software, you are unable to get it.

They'd need to pay lots of money (which is in negative supply) for commercial/home-grown encryption software and a license for every employee. I don't see that happening given the mammoth cost. The other would be an open source alternative they could just pay to audit every now and then before they update. However given their current desire to get rid of encryption as much as is practical it would be difficult for them to embrace an open source program with their left hand as their right hand tried to insert backdoors into it. Although governments have been known to display such a dual personality before (see Tor and the US).

But even ignoring that, it's the problem that's been articulated many times before. Security is a PITA. Many tech savvy individuals have given up on PGP etc. because it's just such a pain to use. Good luck getting technically illiterate government employees to take up levels of security that tech savvy users barely manage to tolerate.